According to a PCWorld article from earlier this morning, researchers from computer security research group Gibson Security have discovered (and published proof-of-concept code for) a vulnerability in Snapchat that could potentially give hackers the ability to quickly find user phone numbers by abusing the legitimate 'find_friends' feature of the Snapchat API.

Snapchat, a popular photo messaging and sharing app, is best known for giving users the ability to allot a time period for the photos they send. Once the user views the Snapchat message, the picture is automatically deleted after that specified time period is up.

Gibson Security actually revealed the vulnerability back in August, but on December 25, the researchers finally decided to release two exploits (the aforementioned "find_friends" as well as a separate issue) because they said Snapchat failed to fix the issues in those four months. So what did they do?

"We did some back-of-the-envelope calculations based on some number crunching we did (on an unused range of numbers). We were able to crunch through 10 thousand phone numbers (an entire sub-range in the American number format (XXX) YYY-ZZZZ - we did the Z's) in approximately 7 minutes on a gigabyte line on a virtual server."

The researchers went on to say that they estimate that at least 5000 numbers could be tested in a minute and that in one month, an attacker could fly through around 292 million numbers...on a single server.

Snapchat wasn't immediately available for comment, according to PCWorld. You can read the full article by clicking the aforementioned link.


Jasper_The_Rasper also posted about this vulnerability (with links to another article as well as the aforementioned proof-of-concept) here on the Community forums.

Two days after hackers leaked 4.6 million usernames and phone numbers, Snapchat finally responded and confirmed (via a blog post) the leak, according to a recent VentureBeat article. While the delay is understood (the info was leaked on New Year's Eve and New Year's Day is a holiday), the more pressing issue is the company's lack of an apology. Here is part of their response:

"We acknowledged in a blog post last Friday that it was possible for an attacker to use the functionality of Find Friends to upload a large number of random phone numbers and match them with Snapchat usernames. On New Years Eve, an attacker released a database of partially redacted phone numbers and usernames. No other information, including Snaps, was leaked or accessed in these attacks."

A researcher from Gibson Security (the group who discovered the vulnerability) says that he believes that the troubling issue here is that Snapchat isn't taking the warning seriously, likely believing it to be nothing more than a theoretical bug rather than a legitimate security vulnerability, which it clearly is. The hackers who released the database that exposed the usernames and phone numbers are also frustrated, claiming that the point of releasing that database was to make Snapchat aware and to patch the vulnerabilities.

However, while Gibson Security sees why the hackers carried out the attack on Snapchat, they believe they took it too far and are not sure if their motivation was 'genuine', saying they could have "at least censored more of the phone numbers." Gibson also made a tool available on their website to help users see if they were affected.

That is an excellent question, and I have not seen anything posted regarding that either. Here is a link to the entire Blog article that Snapchat posted regarding this issue. I didn't see anything in the article that would answer the question, but I might have missed it.

What I DID see however, was an email address at the end of the 5th paragraph that they invite users to use to report potential vulnerabilities. I would suggest using that email address as a starting point in attempting to contact them regarding this one.